Security overview
It is important to keep your computer secure, not only to protect
data on the computer itself, but on the network as well. A
good security system confirms the identity of the people who
are attempting to access the resources on your computer,
protects specific resources from inappropriate access by
users, and provides a simple, efficient way to set up and
maintain security on your computer.
To help you accomplish these goals, Windows 2000 Professional offers
these security features:
User Accounts
To use a computer that is running Windows 2000, you must have a user
account, which consists of a unique user name and a
password. Windows 2000 verifies your user name and password
when you press CTRL+ALT+DEL and then type your user name and
your password. If your user account has been disabled or
deleted, Windows 2000 prevents you from accessing the
computer, ensuring that only valid users have access to the
computer. Double-click Users and Passwords in Control
Panel to create users, add or remove users from existing
groups, and change user passwords.
Group Accounts
Users must have certain user rights and permissions to perform
tasks on a computer running Windows 2000. Group accounts
help you efficiently assign those user rights and
permissions to users. Windows 2000 Professional comes with
many built-in groups based on the tasks users commonly
perform, such as the Administrators, Backup Operators, or
Users groups. Assigning users to one or more of the built-in
groups gives most users all of the user rights and
permissions they need to perform their jobs. Double-click
Users and Passwords in Control Panel to add or remove
users from existing groups.
Encryption (NTFS drives only)
Encrypting files and folders makes them unreadable to
unauthorized users. If a user attempting to access an
encrypted file has the private key to that file (that is, if
the user either encrypted the file personally or is a
registered recovery agent), the user will be able to open
the file and work with it transparently as a normal
document. A user without the private key to the file is
denied access. Encryption is available only on NTFS drives.
File and Folder Permissions (NTFS drives only)
When you set permissions on a file or folder, you specify the groups
and users whose access you want to restrict or allow, and
then select the type of access. It is more efficient to
specify group accounts when you assign permissions to
objects, so that you can simply add users to the appropriate
group when you need to allow or restrict access for those
users. For example, you can give managers Full Control of a
folder that contains electronic timesheets, and then give
employees Write access so that they can copy timesheets to
that folder, but not read the contents of the folder. File
and folder permissions can be set only on NTFS drives.
Shared Folder Permissions
If you are a member of the Administrators or Power Users group, you
can share folders on your local computer so that users on
other computers can access those folders. By assigning
shared folder permissions to any NTFS, FAT, or FAT32 shared
folder, you can restrict or allow access to those folders
over the network. Use NTFS folder permissions if the shared
folder is located on an NTFS drive. NTFS permissions are
effective on the local computer and over the network.
Printer Permissions
Because shared printers are available to all users on the network,
you might want to limit access for some users by assigning
printer permissions. For example, you could give all
nonadministrative users in a department the Print permission
and all managers the Print and Manage Documents permissions.
By doing this, all users and managers can print documents,
but managers can change the status of any print job
submitted by any user.
Auditing
You can use auditing to track which user account was used to access
files or other objects, as well as logon attempts, system
shutdowns or restarts, and similar events. Before any
auditing takes place, you must use Group Policy to specify
the types of events you want to audit. For example, to audit
a folder, you first enable Audit Object Access in the
Auditing policy in Group Policy. Next, you set up auditing
like you do permissions: You choose the object, such as a
file or folder, then select the users and groups whose
actions you want to audit. Finally, you choose the actions
you want to audit, such as attempts to open or delete the
restricted folder. You can audit both successful and failed
attempts. You track auditing activity by using Event Viewer
to view the Security log.
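The timesheet folder permissions and the audit steps described above, scripted as an added example (not part of the original page) for a current Windows release with PowerShell 5.1; Windows 2000 itself predates PowerShell, and there the same settings are made through the dialogs the text describes. The folder path and the Managers and Employees local groups are assumptions.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell 5.1+ session.
# The folder path and the Managers/Employees group names are assumptions.
$path    = 'C:\Timesheets'                    # hypothetical new folder on an NTFS drive
$inherit = 'ContainerInherit,ObjectInherit'   # this folder, subfolders and files
$admins  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

New-Item -ItemType Directory -Path $path -Force | Out-Null
foreach ($name in 'Managers', 'Employees') {
    if (-not (Get-LocalGroup -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $name | Out-Null
    }
}

# -Audit also loads the audit entries (SACL), which needs administrative rights.
$acl = Get-Acl -Path $path -Audit

# Stop inheriting from the parent and drop the inherited entries, so a broad
# entry on the drive root cannot grant Read in addition to the grants below.
$acl.SetAccessRuleProtection($true, $false)

# Permissions: the timesheet arrangement from the text, plus Administrators
# (an assumption, so the folder stays manageable).
$grants = @(
    @{ Who = $admins;     Rights = 'FullControl' },
    @{ Who = 'Managers';  Rights = 'FullControl' },
    @{ Who = 'Employees'; Rights = 'Write' }
)
foreach ($g in $grants) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Who, $g.Rights, $inherit, 'None', 'Allow')))
}

# Auditing is set up like permissions: choose who, then which actions and outcome.
# Here: failed attempts by Employees to read or delete anything in the folder.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Employees', 'ReadData,Delete', $inherit, 'None', 'Failure')))
Set-Acl -Path $path -AclObject $acl

# Nothing is logged until the audit policy itself is on (local command-line
# counterpart of enabling Audit Object Access in Group Policy).
auditpol /set /category:"Object Access" /failure:enable

# Review the result: the folder's entries, then recent object-access events.
(Get-Acl -Path $path -Audit).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 20 -ErrorAction SilentlyContinue
```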
User Rights
User rights are rules that determine the actions a user can
perform on a computer. In addition, user rights control
whether a user can log on to a computer directly (locally)
or over the network, add users to local groups, delete
users, and so on. Built-in groups have sets of user rights
already assigned. Administrators usually assign user rights
by adding a user account to one of the built-in groups or by
creating a new group and assigning specific user rights to
that group. Users who are subsequently added to a group are
automatically granted all user rights assigned to the group
account. User rights are managed using Group Policy.